akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
6351a9bba3e9e3dde0102f6803d6abf92042fae8
Charon/docs/reports/qa_report.md
GitHub Actions 6351a9bba3 feat: add CrowdSec API key status handling and warning component 
- Implemented `getCrowdsecKeyStatus` API call to retrieve the current status of the CrowdSec API key.
- Created `CrowdSecKeyWarning` component to display warnings when the API key is rejected.
- Integrated `CrowdSecKeyWarning` into the Security page, ensuring it only shows when relevant.
- Updated i18n initialization in main.tsx to prevent race conditions during rendering.
- Enhanced authentication setup in tests to handle various response statuses more robustly.
- Adjusted security tests to accept broader error responses for import validation.
2026-02-04 09:17:25 +00:00

7.8 KiB
Raw Blame History

QA Report: LAPI Auth Fix and Translation Bug Fix

Date: 2026-02-04 Version: v0.3.0 (beta) Changes Under Review:

  1. Backend: CrowdSec key-status endpoint, bouncer auto-registration, key file fallback
  2. Frontend: Key warning banner, i18n race condition fix, translations

Executive Summary

Category Status Details
E2E Tests ⚠️ ISSUES 175 passed, 3 failed, 26 skipped
Backend Coverage ⚠️ BELOW THRESHOLD 84.8% (minimum: 85%)
Frontend Coverage PASS All tests passed
TypeScript Check PASS Zero errors
Pre-commit Hooks ⚠️ AUTO-FIXED 1 file fixed (tests/etc/passwd)
Backend Linting PASS go vet passed
Frontend Linting PASS ESLint passed
Trivy FS Scan PASS 0 HIGH/CRITICAL vulnerabilities
Docker Image Scan ⚠️ ISSUES 7 HIGH vulnerabilities (base image)

Overall Status: ⚠️ CONDITIONAL APPROVAL - Issues found requiring attention

1. Playwright E2E Tests

Results

  • Total: 204 tests
  • Passed: 175 (86%)
  • Failed: 3
  • Skipped: 26

Failed Tests (Severity: LOW-MEDIUM)

Test File Error Severity
Should reject archive missing required CrowdSec fields crowdsec-import.spec.ts Expected 422, got 500 MEDIUM
Should reject archive with path traversal attempt crowdsec-import.spec.ts Error message mismatch LOW
Verify admin whitelist is set to 0.0.0.0/0 zzzz-break-glass-recovery.spec.ts admin_whitelist undefined LOW

Analysis

  1. CrowdSec Import Validation (crowdsec-import.spec.ts:133): Backend returns 500 instead of 422 for missing required fields - suggests error handling improvement needed.
  2. Path Traversal Detection (crowdsec-import.spec.ts:338): Error message says "failed to create backup" instead of security-related message - error messaging could be improved.
  3. Admin Whitelist API (zzzz-break-glass-recovery.spec.ts:147): API response missing admin_whitelist field - may be API schema change.

Skipped Tests (26 total)

  • Mostly CrowdSec-related tests that require CrowdSec to be running
  • Rate limiting tests that test middleware enforcement (correctly skipped per testing scope)
  • These are documented and expected skips

2. Backend Unit Tests

Results

  • Status: ⚠️ BELOW THRESHOLD
  • Coverage: 84.8%
  • Threshold: 85.0%
  • Deficit: 0.2%

Recommendation

Coverage is 0.2% below threshold. This is a marginal gap. Priority:

  1. Check if any new code paths in the LAPI auth fix lack tests
  2. Add targeted tests for CrowdSec key-status handler edge cases
  3. Consider raising coverage exclusions for generated/boilerplate code if appropriate

3. Frontend Unit Tests

Results

  • Status: PASS
  • Test Files: 136+ passed
  • Tests: 1500+ passed
  • Skipped: ~90 (documented security audit tests)

Coverage by Area

Area Statement Coverage
Components 74.14%
Components/UI 98.94%
Hooks 98.11%
Pages 83.01%
Utils 96.49%
API ~91%
Data 100%
Context 92.59%

4. TypeScript Check

  • Status: PASS
  • Errors: 0
  • Command: npm run type-check

5. Pre-commit Hooks

Results

  • Status: ⚠️ AUTO-FIXED
  • Hooks Passed: 12/13
  • Auto-fixed: 1 file

Details

Hook Status
fix end of files Fixed tests/etc/passwd
trim trailing whitespace Pass
check yaml Pass
check for added large files Pass
dockerfile validation Pass
Go Vet Pass
golangci-lint (Fast) Pass
Check .version matches tag Pass
LFS large files check Pass
Prevent CodeQL DB commits Pass
Prevent data/backups commits Pass
Frontend TypeScript Check Pass
Frontend Lint (Fix) Pass

Action Required: Commit the auto-fixed tests/etc/passwd file.

6. Linting

Backend (Go)

Linter Status Notes
go vet PASS No issues
staticcheck ⚠️ SKIPPED Go version mismatch (1.25.6 vs 1.25.5) - not a code issue

Frontend (TypeScript/React)

Linter Status Notes
ESLint PASS No issues

7. Security Scans

Trivy Filesystem Scan

  • Status: PASS
  • HIGH/CRITICAL Vulnerabilities: 0
  • Scanned: Source code + npm dependencies

Docker Image Scan (Grype)

  • Status: ⚠️ HIGH VULNERABILITIES DETECTED
  • Critical: 0
  • High: 7
  • Medium: 20
  • Low: 2
  • Negligible: 380
  • Total: 409

High Severity Vulnerabilities

CVE Package Version Fixed CVSS Description
CVE-2025-13151 libtasn1-6 4.20.0-2 No fix 7.5 Stack-based buffer overflow
CVE-2025-15281 libc-bin 2.41-12+deb13u1 No fix 7.5 wordexp WRDE_REUSE issue
CVE-2025-15281 libc6 2.41-12+deb13u1 No fix 7.5 wordexp WRDE_REUSE issue
CVE-2026-0915 libc-bin 2.41-12+deb13u1 No fix 7.5 getnetbyaddr nsswitch issue
CVE-2026-0915 libc6 2.41-12+deb13u1 No fix 7.5 getnetbyaddr nsswitch issue
CVE-2026-0861 libc-bin 2.41-12+deb13u1 No fix 8.4 memalign alignment issue
CVE-2026-0861 libc6 2.41-12+deb13u1 No fix 8.4 memalign alignment issue

Analysis

All HIGH vulnerabilities are in base image system packages (Debian Trixie):

  • libtasn1-6 (ASN.1 parsing library)
  • libc-bin / libc6 (GNU C Library)

Mitigation Status: No fixes currently available from Debian upstream. These affect the base OS, not application code.

Risk Assessment:

  • libtasn1-6 (CVE-2025-13151): Only exploitable if parsing malicious ASN.1 data - low risk for Charon's use case
  • glibc issues: Require specific API usage patterns that Charon does not trigger

Recommendation: Monitor for Debian package updates. No immediate blocking action required for beta release.

8. Issues Requiring Resolution

MUST FIX (Blocking)

  1. Backend Coverage: Increase from 84.8% to 85.0% (0.2% gap)
    • Priority: Add tests for new CrowdSec key-status code paths

SHOULD FIX (Before release)

  1. E2E Test Failures: 3 tests failing

    • crowdsec-import.spec.ts:133 - Fix error code consistency (500 → 422)
    • crowdsec-import.spec.ts:338 - Improve error message clarity
    • zzzz-break-glass-recovery.spec.ts:147 - Fix API response schema

  2. Pre-commit Auto-fix: Commit tests/etc/passwd EOF fix

MONITOR (Non-blocking)

  1. Docker Image CVEs: 7 HIGH in base image packages

    • Monitor for Debian security updates
    • Consider if alternative base image is warranted

  2. Staticcheck Version: Update staticcheck to Go 1.25.6+

9. Test Execution Details

Test Suite Duration Workers
Playwright E2E 4.6 minutes 2
Backend Unit ~30 seconds -
Frontend Unit ~102 seconds -

10. Approval Status

⚠️ CONDITIONAL APPROVAL

Conditions for Full Approval:

  1. TypeScript compilation passing
  2. Frontend linting passing
  3. Backend linting passing (go vet)
  4. Trivy filesystem scan clean
  5. ⚠️ Backend coverage at 85%+ (currently 84.8%)
  6. ⚠️ All E2E tests passing (currently 3 failing)

Recommendation: Address the 0.2% coverage gap and investigate the 3 E2E test failures before merging to main. The Docker image vulnerabilities are in base OS packages with no fixes available - these issues do not block the implementation.

Report generated by QA Security Agent

Reference in New Issue View Git Blame Copy Permalink